Diffstat (limited to 'meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch')
-rw-r--r-- | meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch | 95 |
1 files changed, 95 insertions, 0 deletions
diff --git a/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch b/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
new file mode 100644
index 0000000000..fa25fcd2db
--- /dev/null
+++ b/meta/recipes-core/expat/expat/CVE-2023-52425-0008.patch
@@ -0,0 +1,95 @@
+From 8ddd8e86aa446d02eb8d398972d3b10d4cad908a Mon Sep 17 00:00:00 2001
+From: Snild Dolkow <snild@sony.com>
+Date: Fri, 29 Sep 2023 10:14:59 +0200
+Subject: [PATCH] Try to parse even when incoming len is zero
+
+If the reparse deferral setting has changed, it may be possible to
+finish a token.
+
+CVE: CVE-2023-52425
+
+Upstream-Status: Backport [https://github.com/libexpat/libexpat/commit/8ddd8e86aa446d02eb8d398972d3b10d4cad908a]
+
+Signed-off-by: Meenali Gupta <meenali.gupta@windriver.com>
+---
+ lib/xmlparse.c | 55 ++++++++------------------------------------------
+ 1 file changed, 8 insertions(+), 47 deletions(-)
+
+diff --git a/lib/xmlparse.c b/lib/xmlparse.c
+index 8cf32e0..f4ff66e 100644
+--- a/lib/xmlparse.c
++++ b/lib/xmlparse.c
+@@ -1896,46 +1896,8 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ parser->m_parsingStatus.parsing = XML_PARSING;
+ }
+
+- if (len == 0) {
+- parser->m_parsingStatus.finalBuffer = (XML_Bool)isFinal;
+- if (! isFinal)
+- return XML_STATUS_OK;
+- parser->m_positionPtr = parser->m_bufferPtr;
+- parser->m_parseEndPtr = parser->m_bufferEnd;
+-
+- /* If data are left over from last buffer, and we now know that these
+- data are the final chunk of input, then we have to check them again
+- to detect errors based on that fact.
+- */
+- parser->m_errorCode
+- = callProcessor(parser, parser->m_bufferPtr, parser->m_parseEndPtr,
+- &parser->m_bufferPtr);
+-
+- if (parser->m_errorCode == XML_ERROR_NONE) {
+- switch (parser->m_parsingStatus.parsing) {
+- case XML_SUSPENDED:
+- /* While we added no new data, the finalBuffer flag may have caused
+- * us to parse previously-unparsed data in the internal buffer.
+- * If that triggered a callback to the application, it would have
+- * had an opportunity to suspend parsing. */
+- XmlUpdatePosition(parser->m_encoding, parser->m_positionPtr,
+- parser->m_bufferPtr, &parser->m_position);
+- parser->m_positionPtr = parser->m_bufferPtr;
+- return XML_STATUS_SUSPENDED;
+- case XML_INITIALIZED:
+- case XML_PARSING:
+- parser->m_parsingStatus.parsing = XML_FINISHED;
+- /* fall through */
+- default:
+- return XML_STATUS_OK;
+- }
+- }
+- parser->m_eventEndPtr = parser->m_eventPtr;
+- parser->m_processor = errorProcessor;
+- return XML_STATUS_ERROR;
+- }
+ #ifndef XML_CONTEXT_BYTES
+- else if (parser->m_bufferPtr == parser->m_bufferEnd) {
++ if (parser->m_bufferPtr == parser->m_bufferEnd) {
+ const char *end;
+ int nLeftOver;
+ enum XML_Status result;
+@@ -2006,15 +1968,14 @@ XML_Parse(XML_Parser parser, const char *s, int len, int isFinal) {
+ return result;
+ }
+ #endif /* not defined XML_CONTEXT_BYTES */
+- else {
+- void *buff = XML_GetBuffer(parser, len);
+- if (buff == NULL)
+- return XML_STATUS_ERROR;
+- else {
+- memcpy(buff, s, len);
+- return XML_ParseBuffer(parser, len, isFinal);
+- }
++ void *buff = XML_GetBuffer(parser, len);
++ if (buff == NULL)
++ return XML_STATUS_ERROR;
++ if (len > 0) {
++ assert(s != NULL); // make sure s==NULL && len!=0 was rejected above
++ memcpy(buff, s, len);
+ }
++ return XML_ParseBuffer(parser, len, isFinal);
+ }
+
+ enum XML_Status XMLCALL
+--
+2.40.0
+ |
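Review bot: In the second xmlparse.c hunk, `assert(s != NULL)` is the only guard in front of `memcpy(buff, s, len)`, and it compiles away under NDEBUG, so the copy is safe only if the `s==NULL && len!=0` rejection that the comment places "above" really exists; that check lies outside both hunks. Because this is a backport onto an older tree, it is worth confirming that the target xmlparse.c already has that early argument check and includes `<assert.h>`, and recording this in the patch header. Separately, a call with `len == 0` and `isFinal == 0` no longer returns `XML_STATUS_OK` early but goes through `XML_GetBuffer(parser, len)` and `XML_ParseBuffer`. If `XML_GetBuffer` can return NULL for a zero-length request in this version, callers would see a new `XML_STATUS_ERROR`, so a regression test for that case would be useful. XML_Parse starts and ends outside the hunks shown.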